fobo
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:31 am

firewall filters - solid?

Fri Feb 23, 2024 4:18 pm

Hey,

I initially set up my firewall rules with the intention to have a single "drop" action at the end of the input and forward chain and only "whitelist" the traffic that I want to allow. However, since this is the first time I am doing this, and the wiki page (https://help.mikrotik.com/docs/display/ ... LANdevices) mentions some more drop rules and a fasttrack-connection, I got unsure. Could somebody check if my firewall rules are solid and what kind of optimization would make sense?

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" src-address=192.168.100.0/24
add action=accept chain=input comment="Allow BASE Full Access" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN DNS Server Access" connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="Allow BASE access to all VLANs" connection-state=new in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="Allow BASE access to all VLANs" connection-state=new in-interface-list=BASE out-interface-list=VLAN-LOCAL
add action=accept chain=forward comment="Allow VLAN Internet Access" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow IOT SMB Access to NAS" connection-state=new dst-address=10.0.10.11 dst-port=445 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow X1 Access to Surveillance Station" connection-state=new dst-address=10.0.10.11 dst-port=9900 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Surveillance Station" connection-state=new dst-address=10.0.10.11 dst-port=9901 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to File Station" connection-state=new dst-address=10.0.10.11 dst-port=7001 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Home Assistant" connection-state=new dst-address=10.0.10.11 dst-port=8123 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Surveillance NTP Access for timesync" connection-state=new dst-port=123 in-interface=surveillance-vlan out-interface-list=WAN protocol=udp
add action=accept chain=forward connection-state=new dst-port=53 in-interface=surveillance-vlan out-interface-list=WAN protocol=udp
add action=drop chain=forward comment=Drop
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: firewall filters - solid?

Fri Feb 23, 2024 4:50 pm

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related & untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="handshake WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" src-address=192.168.100.0/24  in-interface=wireguard
add action=accept chain=input comment="Allow BASE Full Access" in-interface-list=BASE
add action=accept chain=input comment="VLAN DNS Server Access"  dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="VLAN DNS Server Access"  dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related & untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow VLAN Internet Access"  in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE access to all VLANs"  in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="Allow BASE access to all VLANs" in-interface-list=BASE out-interface-list=VLAN-LOCAL
add action=accept chain=forward comment="Allow IOT SMB Access to NAS"  dst-address=10.0.10.11 dst-port=445 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow X1 Access to Surveillance Station" dst-address=10.0.10.11 dst-port=9900 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Surveillance Station"  dst-address=10.0.10.11 dst-port=9901 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to File Station"  dst-address=10.0.10.11 dst-port=7001 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Home Assistant"  dst-address=10.0.10.11 dst-port=8123 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=drop chain=forward comment=Drop
....

(1) These two rules were removed as they may be bogus.
add action=accept chain=forward comment="Allow Surveillance NTP Access for timesync" dst-port=123 in-interface=surveillance-vlan out-interface-list=WAN protocol=udp
add action=accept chain=forward connection-state=new dst-port=53 in-interface=surveillance-vlan out-interface-list=WAN protocol=udp

(2) If the surveillance vlan is part of the VLAN interface list, this traffic is already permitted by:
add action=accept chain=forward comment="Allow VLAN Internet Access" in-interface-list=VLAN out-interface-list=WAN

Further, the Router has its own NTP server and Client which is already available so not sure what you are doing.........
If you need devices to make use of the ROUTER NTP, set it up and modify the input chain rule as follows:

add action=accept chain=input connection-state=new dst-port=53,123 in-interface-list=VLAN protocol=udp

(3) Not sure what you are doing with dns port here in the forward chain?????
 
fobo
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:31 am

Re: firewall filters - solid?

Fri Feb 23, 2024 7:33 pm

> Further, the Router has its own NTP server and Client which is already available so not sure what you are doing.........
> If you need devices to make use of the ROUTER NTP, set it up and modify the input chain rule as follows:
I set up a local NTP server/client and it seems to work fine and used a static DNS entry for time.nist.gov and time.windows.com to point to my local NTP server. Hope that is the way to go :)
> (3) Not sure what you are doing with dns port here in the forward chain?????
Thank you, removed!

Could you please help me understand a couple of rules better?

Why would the additional drop rule on input make sense? Aren't those packets filtered by the general drop rule at the end anyway?
add action=drop chain=input comment="drop invalid" connection-state=invalid
Why are untracked packets not fast-tracked, but included in the accept rule?
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
I noticed that you removed the Connection State "new" in forward rules. Could you please explain why it is not required?
 
tangent
Forum Guru
Posts: 1404
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: firewall filters - solid?

Fri Feb 23, 2024 8:56 pm

> used a static DNS entry for time.nist.gov and time.windows.com to point to my local NTP server. Hope that is the way to go :)

Ick. Set ntp-server in the DHCP server’s network configuration instead. Any reasonable network stack will obey that in preference to its default.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: firewall filters - solid?

Fri Feb 23, 2024 10:54 pm

1. Okay, a separate NTP server; not sure why you bother, as the router already provides this, and thus all devices including the router are in the same sync.

2. The invalid rule ensures that any new traffic is caught and discarded before hitting any other rules.

3. Every time a connection is new, it is new, it goes without saying................
After the first packets are processed the rest of the connection is typically established/related or in the case of the forward chain also fast tracked.
In other words, for a given connection it only gets caught in a rule one time and the rest of the time doesn't go beyond established/related etc.........
Therefore any rule that hits a rule beyond it is new. No point in saying it really. (nothing gained).

4. Fasttrack is applied to already tracked connections; it has no capability to handle anything untracked (nonsensical).
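To see points 2 and 3 above concretely, here is an added example (Python, not MikroTik code and not from anyone in this thread): a first-match evaluator for the small subset of RouterOS filter matchers used in the two posted input chains. It parses the `add ...` export lines as posted, walks a chain top-down the way RouterOS does, and reports which rule terminates a given packet. Interface-list membership (`INTERFACE_LISTS`), the sample packets and their addresses are constructed assumptions, since the thread does not show the `/interface list member` table; any matcher the model does not know raises instead of silently matching.

```python
"""Added example, not MikroTik code: first-match evaluation of the two input
chains posted in this thread, modelling only the matchers they use."""
import ipaddress
import shlex

INTERFACE_LISTS = {            # assumed membership (constructed, not from the thread)
    "BASE": {"base-vlan"},
    "VLAN": {"iot-vlan", "surveillance-vlan"},
    "WAN": {"ether1"},
}
# Input chains exactly as posted: the OP's original and Mesquite's revision.
OP_INPUT = """
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" src-address=192.168.100.0/24
add action=accept chain=input comment="Allow BASE Full Access" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN DNS Server Access" connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
"""
REVISED_INPUT = """
add action=accept chain=input comment="Allow Estab & Related & untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="handshake WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" src-address=192.168.100.0/24 in-interface=wireguard
add action=accept chain=input comment="Allow BASE Full Access" in-interface-list=BASE
add action=accept chain=input comment="VLAN DNS Server Access" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="VLAN DNS Server Access" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment=Drop
"""

def parse_rules(export):
    """Turn 'add key=value ...' export lines into dicts; joins backslash continuations."""
    rules = []
    for line in export.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):   # shlex keeps quoted comments in one token
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def _in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    checks = {
        "chain": lambda v: v == pkt["chain"],
        "connection-state": lambda v: pkt["state"] in v.split(","),
        "protocol": lambda v: v == pkt["protocol"],
        "dst-port": lambda v: str(pkt["dst_port"]) in v.split(","),
        "src-address": lambda v: _in_net(pkt["src"], v),
        "dst-address": lambda v: _in_net(pkt["dst"], v),
        "in-interface": lambda v: v == pkt["in_iface"],
        "in-interface-list": lambda v: pkt["in_iface"] in INTERFACE_LISTS.get(v, set()),
    }
    for key, value in rule.items():
        if key in ("action", "comment"):
            continue
        if key not in checks:
            raise ValueError(f"matcher not modelled: {key}")   # never match by accident
        if not checks[key](value):
            return False
    return True

def evaluate(rules, pkt):
    """First-match walk of a chain; returns (index, action, comment) of the terminal
    rule. fasttrack-connection is not terminal in RouterOS, so it would be stepped
    over; with no match at all RouterOS accepts by default."""
    for i, rule in enumerate(rules):
        if rule["action"] in ("accept", "drop") and matches(rule, pkt):
            return i, rule["action"], rule.get("comment", "")
    return None, "accept", "implicit default"

def compare(pkt):
    """Terminal rule for the same packet under both posted input chains."""
    return {"original": evaluate(parse_rules(OP_INPUT), pkt),
            "revised": evaluate(parse_rules(REVISED_INPUT), pkt)}

def terminal_by_state(rules, pkt):
    """Which rule ends the packet for each conntrack state: a rule placed after
    'accept established,related' and 'drop invalid' only ever sees state=new,
    so writing connection-state=new on it adds nothing."""
    return {s: evaluate(rules, {**pkt, "state": s})[:2]
            for s in ("new", "established", "related", "invalid")}

# Constructed sample packets; addresses and ports are illustrative only.
DNS_FROM_IOT = {"chain": "input", "protocol": "udp", "dst_port": 53, "src": "10.0.20.5",
                "dst": "10.0.20.1", "in_iface": "iot-vlan", "state": "new"}
INVALID_FROM_BASE = {"chain": "input", "protocol": "tcp", "dst_port": 8291, "src": "10.0.10.20",
                     "dst": "10.0.10.1", "in_iface": "base-vlan", "state": "invalid"}

if __name__ == "__main__":
    print(compare(INVALID_FROM_BASE))   # original: accepted by BASE rule; revised: dropped as invalid
    print(compare(DNS_FROM_IOT))
    print(terminal_by_state(parse_rules(REVISED_INPUT), DNS_FROM_IOT))
```

The first comparison is the point of the early invalid rule: the final `Drop` only catches what no accept rule above it took, so in the original chain an invalid-state packet arriving on a BASE interface is accepted by "Allow BASE Full Access", while the revised chain discards it at rule 1 before any broad accept is reached. `terminal_by_state` shows why `connection-state=new` was dropped from the later rules: for the DNS packet, established and related end at rule 0, invalid at rule 1, and only new ever reaches the DNS rule at index 7.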
 
fobo
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:31 am

Re: firewall filters - solid?

Sat Feb 24, 2024 10:04 am

> Ick. Set ntp-server in the DHCP server’s network configuration instead. Any reasonable network stack will obey that in preference to its default.
Thank you, was not aware of this option - much better :-)

Understood. Thank you - your input and help is highly appreciated.
